← Back to Explore
sublimemediumRule
Attachment: PDF with link to DMG file download
This rule identifies PDF attachments that either link directly to a DMG file, link to a ZIP archive containing a DMG file, or link to an encrypted ZIP containing a DMG file. This technique has been observed delivering MetaStealer Malware.
Detection Query
type.inbound
and any(attachments,
.file_type == "pdf"
and any(file.explode(.),
any(.scan.url.urls,
// url links to dmg or zip
(
strings.iends_with(.url, ".dmg")
or strings.iends_with(.url, "zip")
)
// and downloads a dmg or a zip
and any(ml.link_analysis(.).files_downloaded,
(
.file_extension == "dmg"
or (
.file_extension in~ $file_extensions_common_archives
// and the zip contains a dmg file
and any(file.explode(.),
(.file_extension =~ "dmg")
// exif inspection if encrypted
or strings.ends_with(.scan.exiftool.zip_file_name,
".dmg"
)
)
)
)
)
)
)
)
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Tags
Malfam: MetaStealer
Raw Content
name: "Attachment: PDF with link to DMG file download"
description: |
This rule identifies PDF attachments that either link directly to a DMG file, link to a ZIP archive containing a DMG file, or link to an encrypted ZIP containing a DMG file. This technique has been observed delivering MetaStealer Malware.
references:
- "https://thehackernews.com/2023/09/beware-metastealer-malware-targets.html"
- "https://duo.com/decipher/new-metastealer-malware-targets-macos-users"
- "https://www.sentinelone.com/blog/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks/"
type: "rule"
severity: "medium"
source: |
type.inbound
and any(attachments,
.file_type == "pdf"
and any(file.explode(.),
any(.scan.url.urls,
// url links to dmg or zip
(
strings.iends_with(.url, ".dmg")
or strings.iends_with(.url, "zip")
)
// and downloads a dmg or a zip
and any(ml.link_analysis(.).files_downloaded,
(
.file_extension == "dmg"
or (
.file_extension in~ $file_extensions_common_archives
// and the zip contains a dmg file
and any(file.explode(.),
(.file_extension =~ "dmg")
// exif inspection if encrypted
or strings.ends_with(.scan.exiftool.zip_file_name,
".dmg"
)
)
)
)
)
)
)
)
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
tags:
- "Malfam: MetaStealer"
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
- "PDF"
detection_methods:
- "Archive analysis"
- "Content analysis"
- "File analysis"
- "URL analysis"
id: "2c486fe0-506d-5498-bb19-dbe58904f9dc"